US20130212684A1 - Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices - Google Patents
Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices Download PDFInfo
- Publication number
- US20130212684A1 US20130212684A1 US13/734,467 US201313734467A US2013212684A1 US 20130212684 A1 US20130212684 A1 US 20130212684A1 US 201313734467 A US201313734467 A US 201313734467A US 2013212684 A1 US2013212684 A1 US 2013212684A1
- Authority
- US
- United States
- Prior art keywords
- application
- behaviors
- determining
- security
- potential
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/02—Marketing; Price estimation or determination; Fundraising
- G06Q30/0282—Rating or review of business operators or products
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2457—Query processing with adaptation to user needs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9535—Search customisation based on user profiles and personalisation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Definitions
- One way a user can decide whether to download an application is to look at user reviews of the applications. However, most often, the user reviews do not mention if any of the applications include a security risk or the application may become compromised after the user reviews were submitted. Thus, after downloading the application, the application may compromise the security of the mobile electronic device and possibly the data stored by the mobile electronic device. Even worse, the applications may also compromise the security of private enterprise networks if the networks are accessed from a compromised mobile electronic device.
- a method determines a permission list from an application and generates a set of potential behaviors from the permission list.
- the set of potential behaviors is associated with actions that the application allows when executing on a mobile device where the set of potential behaviors are determined without execution of the application.
- the method determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application from the set of application marketplaces.
- a required behavior list is generated including a set of required behaviors from the functional category information and the application description information.
- the method compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors.
- the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors.
- a security rating is determined based on the set of security related behaviors.
- a non-transitory computer-readable storage medium containing instructions, that when executed, control a computer system to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
- an apparatus comprising: one or more computer processors; and a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
- FIG. 1 depicts a simplified system for providing security according to one embodiment.
- FIG. 2 depicts a more detailed example of risk assessment manager according to one embodiment.
- FIG. 3 depicts a more detailed example of an analyzer manager and a security ratings manager according to one embodiment.
- FIG. 4 depicts a more detailed example of the analyzer manager and the security ratings manager for a list of Android permissions according to one embodiment.
- FIG. 5 depicts a simplified flowchart of a method for determining security ratings according to one embodiment.
- FIG. 6 illustrates an example of a special purpose computer system configured with a security ratings system according to one embodiment.
- Particular embodiments provide a security ratings system for applications offered by application marketplaces.
- the security ratings may be tailored to how the applications operate and are used on mobile devices. A user may then review the security ratings and decide whether to download an application. Further, the security ratings may be sent to a user to warn the user of a possible security threat for an application currently residing on the user's mobile device.
- FIG. 1 depicts a simplified system 100 for providing security according to one embodiment.
- System 100 includes a back-end security system 102 that may interact with mobile devices 104 .
- back-end security system 102 provides security services to mobile devices 104 , which download applications (apps) 108 from application marketplaces 106 .
- Mobile devices 104 may be computing devices that can download applications 108 , such as smartphones, tablet computers, smart televisions, laptop computers, and personal computers.
- Mobile devices 104 include a front-end security system 110 that may analyze applications 108 for security risks on mobile device 104 .
- Front-end security system 110 evaluates applications 108 on mobile device 104 according to multiple independent aspects of security.
- front-end security system 110 may interact with back-end security system 102 to send results of analysis of applications 108 on mobile device 104 .
- front-end security system 110 may analyze the use of applications 108 , scan mobile device 104 for security risks, and then send information related to the analysis to back-end security system 102 .
- back-end security system 102 includes a risk assessment manager 112 , an application recommendation manager 114 , and an application certification manager 116 .
- Risk assessment manager 112 may assess the risk of applications 108 and provide a security rating based on the assessment.
- the security rating may be tailored to how applications 108 are used on mobile devices 104 .
- the security ratings may include certified, malicious, high-risk, and low-risk/noisy ratings. These security ratings will be described in more detail below.
- Application recommendation manager 114 may recommend new applications to users.
- application recommendation manager 114 may communicate with front-end security system 110 to determine the new application recommendations.
- application recommendation manager 114 may use user preferences and user behaviors that are determined based on actions performed on mobile device 104 in addition to information from similar users, such as a user's friends in a social network, to determine the application recommendations.
- application recommendation manager 114 may provide the application recommendations based on communication with front-end security system 110 .
- front-end security system 110 may determine the application recommendations without communication with back-end security system 102 .
- Application certification manager 116 provides certification that an instance of an application 108 in a marketplace 106 is an authentic copy. For example, an instance of an application 108 may be found in multiple application marketplaces 106 . However, specific instances of the application may not be certified copies. That is, other companies may copy an application 108 and/or modify an application 108 .
- Application certification manager 116 scans applications 108 in application marketplaces 106 , and can determine whether applications 108 are a certified copy. Thus, when a user wants to download an application 108 from a specific application marketplace 106 , the user can review the application certification to determine whether to download the application. Additionally, the application certification may indicate to users, organizations, enterprises, application stores, device providers, networks, and/or any other interested party, that the application has adequate security. The security certification may be unique to each certified application so that users can validate its authenticity.
- FIG. 2 depicts a more detailed example of risk assessment manager 112 according to one embodiment.
- An analyzer manager 202 may analyze applications 108 to provide information to a security ratings manager 204 , which uses the information to determine security ratings for applications 108 .
- the security rating is determined without analyzing information from mobile devices 104 . That is, how the application operates on mobile devices 104 is not analyzed to provide the security rating. This has a benefit in that malicious software may be determined before being downloaded onto mobile devices 104 where the applications could be harmful.
- Analyzer manager 202 may receive application packages, which may include application executable program files and associated data resources, and application metadata, such as an application name, a description, an author, a price, a download count, a review score, reviews by users, comments, a category of the application, version, an operating system (OS), icons, thumbnails, a release date, and update dates. Analyzer manager 202 may then analyze the application package and provide information regarding the application to security ratings manager 204 . The analysis that is performed is described in more detail below.
- analyzer manager 202 includes different automatic analyzer modules 206 , such as a cross-scanner 206 - 1 , a static analyzer 206 - 2 , a dynamic analyzer 206 - 3 , a signature scan engine 206 - 4 , a research formula analyzer 206 - 5 , a heuristic analyzer 206 - 6 , a root exploit analyzer 206 - 7 , and a permission analyzer 206 - 8 .
- information from all of these analyzers is used, but only a portion of the analyzers may be used in other cases to determine security ratings.
- Analyzer modules 206 such as a research formula analyzer 206 - 5 and heuristic analyzer 206 - 6 , access the application package and application metadata from the application database.
- Research formula analyzer 206 - 5 analyzes the application package and metadata using one or more rules. Rules may be specified by administrative users using conditional logic, such as a “if this then that” format via an interface, such as a web interface.
- Analyzer modules 206 receive samples of known malicious applications to identify patterns that are unique to these types of applications. Heuristic analyzer 206 - 6 then compares incoming applications with these patterns to identify any meaningful similarities that would identify an incoming application that is suspicious. A signature analyzer compares signatures of incoming applications with these patterns to identify any meaningful similarities.
- Particular embodiments may include other types of analyzer modules 206 for analyzing different security aspects of the applications.
- the set of analyzer modules 206 is managed by an analyzer framework.
- a profiler gets information from application package file.
- a cross scan analyzer 206 - 1 scans applications by other vendors to get reference.
- a malware variant scanner (not shown) detects variants of malware.
- a certificate analyzer (not shown) analyzes cryptographic certificates associated with the application and may include a blacklist and a whitelist for certificates.
- a root exploit analyzer 206 - 7 determines if an application performs any actions to circumvent operating system privileges, such as gaining root privilege.
- a permission analyzer 206 - 8 is used to analyze the operating system permissions given to the application.
- a dynamic analyzer 206 - 3 analyzes the dynamic resource use of the application, such as processor, memory, battery, data storage, network traffic, and other system resource usage of an application. Dynamic analyzer 206 - 3 also analyzes communication of any private information to a 3 rd party server or if the application performs any malicious actions at runtime. In an embodiment, dynamic analyzer 206 - 3 simulates real usage of the application. Static analyzer 206 - 2 is used to analyze the actions that the application attempts to perform.
- a digital signature or hash of the application is created to identify other instances of that application. This digital signature is provided to the signature based signature scan engine 206 - 4 for use in scanning for applications with the same signature.
- security ratings manager 204 assigns a security rating to each application 108 and may store the security rating in an application database 210 .
- the various security ratings include certified, malicious, high-risk, faked/cloned, and low-risk/noisy ratings and how mobile devices 104 uniquely use applications 108 in a mobile environment.
- the certified security rating is for secured and approved applications 108 from trusted providers that are determined to pose no threat to mobile devices 104 .
- the malicious security rating is for applications 108 that may intentionally harm mobile device 104 or any computing device coupled to mobile device 104 . This may include Trojan horses, viruses, and spyware. Further, certain behaviors that are unique to mobile devices 104 may be exhibited by malicious applications, such as sending short message service (SMS) messages without user's consent and in some cases sending premium-rate SMS messages; downloading and installing other applications without a user's consent; and compromising a user's privacy information, such as a user's contacts, global positioning satellite (GPS) location, call histories, SMS messages, and other personal information for the user.
- SMS short message service
- GPS global positioning satellite
- a high-risk security rating means that applications 108 may be potentially dangerous.
- these applications 108 may perform certain mobile device behaviors that include leaking personal identifiable information, such as a phone number, in plain text; performing actions that lead to unexpected charges on a user's telephone bill; modifying the operating system of mobile device 104 ; monitoring mobile device 104 or tracking the position of mobile device 104 ; or downloading other applications without confirmation.
- These applications 108 may also contain possible security vulnerabilities, such as hacking tools.
- the faked/cloned security rating is for applications that have been copied from certified applications.
- a company may copy a certified application and try to pass it off as the certified copy.
- the cloned copy may not function in the same way as the certified copy or may include malicious software.
- the low-risk/noisy security rating includes applications that perform behaviors related to use of mobile devices 104 .
- the behaviors include frequently pushing advertisements to a user, such as to a notification bar or through pop-up windows, aggressively displaying advertisements on a home screen even if the application is running in the background or closed; aggressively promoting other applications by prompting a user to download the applications; leaking a device identifier, such as an IMEI or IMSI, in plain text.
- these behaviors may not be a security risk as in these behaviors do not perform malicious actions to mobile device 104 . However, these actions may create noise to a user, such as distracting them with advertisements.
- a communication manager 212 may communicate the security rating to mobile devices 104 that include applications 108 that have been rated. Additionally, communication manager 212 may communicate the security rating to application marketplaces 106 . The marketplaces may display the security rating in the marketplace to allow users to determine whether they want to download applications 108 .
- FIG. 3 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 according to one embodiment.
- the potential harmful behavior of applications 108 and grading of the security risks are determined without actually executing applications 108 on mobile devices 104 .
- Particular embodiments define a set of behaviors that will affect the security of mobile device 104 .
- these behaviors may include behaviors that are associated with operating a mobile device, such as initiating a phone call, sending an SMS message, tracking the location of mobile device 104 , accessing the contacts and sending contact information, accessing mobile device information, accessing the camera/video and initiating the camera or video recorder, accessing SMS content, and accessing a call log.
- a different security rating may be applied to each behavior and/or application 108 .
- An application analyzer 302 receives an application package.
- the application package may include an application executable and/or application metadata.
- Application analyzer 302 analyzes the application package to determine a permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed.
- the operating system defines or provides a list of APIs that applications can use to trigger certain actions or access certain data. Each permission is associated to a set of APIs.
- an application needs to claim proper permissions that are associated to the APIs the application wants to invoke.
- the combination of same set of APIs can generate various kinds of behaviors and thus consequences from the behaviors on the mobile device, which can be secure to the user as well as harmful to the user.
- Static analyzer 206 - 2 extracts all the permissions from an application that the application claims to use and check that the application has claimed more permissions than it needs for normal or secure behavior.
- Dynamic analyzer 206 - 3 goes one step further by analyzing how the APIs associated with the permissions that an application has declared to use are used inside the code of the application and thus determines the kind of runtime behaviors that are triggered to determine whether any of runtime behaviors are harmful to the mobile device and/or users.
- Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
- PC is a permission and CPL is a permission list
- BL is the set of possible behaviors
- PBL is a potential behavior list.
- a category analyzer 304 collects category information for an application 108 from various application marketplaces 106 .
- different marketplaces 106 may be offering an instance of application 108 .
- different marketplaces 106 may categorize the same application 108 in different categories.
- one application marketplace 106 may categorize application 108 in a general “games” category and another application marketplace 106 may categorize application 108 in a “race car game” category.
- Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
- category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106 .
- the default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
- mapping table # 2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category.
- An example of mapping table # 2 may be:
- Application description analyzer 306 includes a third mapping table # 3 (MT 3 ) that maps keywords to required behaviors.
- An example of mapping table # 3 may be:
- Keyword Behavior phone call Call phone video call Call phone dialer/Call phone
- various keywords are mapped to behaviors, such as a keyword of phone call is mapped to a behavior of making a phone call.
- application description analyzer 306 may extract keywords from the functional description and/or application name.
- the keywords may be information that describes application 108 , such as an e-mail messaging application, a game, etc.
- Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table # 3 .
- a required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306 . Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
- the above algorithm determines a first behavior list (RBL) based on the output of mapping table # 2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL 2 is determined by applying the keywords to a mapping table # 3 . The second required behavior list BL 2 is then added into the required behavior list RBL.
- a behavior comparison manager 310 receives the required behavior list in addition to the potential behavior list. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates an abused behavior list (ABL). The following algorithm may be used:
- security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the abused behavior list. For example, security ratings determiner 312 may review each behavior and assign a security rating. That is, each behavior may be given one of the security ratings.
- security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of behaviors that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108 . Also, the number of behaviors may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108 . In other cases, if one behavior is included in a certain security rating, such as malicious, then that security rating is assigned to application 108 . For example, if an application exhibits just one malicious behavior, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious behavior.
- Particular embodiments may also be used for an AndroidTM application.
- a list of Android permissions may be mapped into a security rating.
- FIG. 4 depicts a more detailed example of analyzer manager 202 and security ratings manager 204 for a list of Android permissions according to one embodiment.
- An application analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata. Application analyzer 302 analyzes the application package to determine an Android permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed in Android. Application analyzer 302 may determine the permission list from the application's executable file or application metadata.
- Application analyzer 302 maps each permission to a security rating (SR(P)) using a first mapping table # 1 (MT 1 ).
- a category analyzer 304 collects category information for an application 108 from various application marketplaces 106 .
- different marketplaces 106 may be offering an instance of application 108 .
- different marketplaces 106 may categorize the same application 108 in different categories.
- one application marketplace 106 may categorize application 108 in a general games category and another application marketplace 106 may categorize application 108 in a race car game category.
- Category analyzer 304 may receive the categories that application marketplaces 106 have used based on a crawling of application marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application.
- category analyzer 304 may select a default category (DC) based on the category information received from all application marketplaces 106 .
- the default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace.
- mapping table # 2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category
- An application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality.
- a crawler may crawl through various application marketplaces 106 to determine the application name and description from each application marketplace 106 .
- different marketplaces may have a different description of an instance of application 108 .
- different applications may have different names in different marketplaces, but may be the same application.
- Application description analyzer 306 includes a third mapping table # 3 (MT 3 ) that maps keywords to required behaviors.
- application description analyzer 306 may extract keywords from the functional description and/or application name.
- the keywords may be information that describes application 108 , such as an e-mail messaging application, a game, etc.
- Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table # 3 .
- a required behavior manager 308 receives required behaviors from category analyzer 304 and application description analyzer 306 . Required behavior manager 308 may then output a set of required behaviors. Required behavior manager 308 may use the following algorithm to determine the set of required behaviors:
- the above algorithm determines a first behavior list (RBL) based on the output of mapping table # 2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL 2 is determined by applying the keywords to a mapping table # 3 . The second required behavior list BL 2 is then added into the required behavior list RBL.
- a behavior comparison manager 310 receives the required behavior list in addition to the potential behavior lists. Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates a violated permission list (VPL).
- VPL violated permission list
- security ratings determiner 312 in security ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the violated permission list. For example, security ratings determiner 312 may review each permission and assign a security rating. For example, each permission may be given one of the security ratings.
- security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of permissions that are in the low-risk/noisy security rating, security rating determiner 312 assigns a low-risk/noisy security rating to application 108 . Also, the number of permissions may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108 . In other cases, if one permission is included in a certain security rating, such as malicious, then that security rating is assigned to application 108 . For example, if an application exhibits just one malicious permission, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious permission.
- FIG. 5 depicts a simplified flowchart 500 of a method for determining security ratings according to one embodiment.
- risk assessment manager 112 determines a permission list from an application 108 .
- the permission list may be determined from an application package.
- risk assessment manager 112 generates a set of potential behaviors from the permission list.
- the set of potential behaviors are associated with actions that the application allows when executing on a mobile device.
- risk assessment manager 112 determines the set of potential behaviors without execution of the application.
- risk assessment manager 112 determines functional category information regarding a functional category from a set of application marketplaces 106 that contain the application.
- the functional category information may be different for different marketplaces 106 and a default category may be determined.
- risk assessment manager 112 determines application description information for the application from the set of application marketplaces.
- the application description information may be keywords from a synopsis of the application.
- risk assessment manager 112 generates a required behavior list including a set of required behaviors from the functional category information and the application description information. Risk assessment manager 112 may use mapping tables to generate the required behavior list.
- risk assessment manager 112 compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors.
- the security related behaviors may be abused behaviors or abused permissions as described above.
- the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors.
- risk assessment manager 112 determines a security rating based on the set of abused behaviors.
- FIG. 6 illustrates an example of a special purpose computer system 600 configured with a security ratings system according to one embodiment.
- Computer system 600 includes a bus 602 , network interface 604 , a computer processor 606 , a memory 608 , a storage device 610 , and a display 612 .
- Bus 602 may be a communication mechanism for communicating information.
- Computer processor 604 may execute computer programs stored in memory 608 or storage device 608 . Any suitable programming language can be used to implement the routines of particular embodiments including C, C++, Java, assembly language, etc. Different programming techniques can be employed such as procedural or object oriented. The routines can execute on a single computer system 600 or multiple computer systems 600 . Further, multiple processors 606 may be used.
- Memory 608 may store instructions, such as source code or binary code, for performing the techniques described above. Memory 608 may also be used for storing variables or other intermediate information during execution of instructions to be executed by processor 606 . Examples of memory 608 include random access memory (RAM), read only memory (ROM), or both.
- RAM random access memory
- ROM read only memory
- Storage device 610 may also store instructions, such as source code or binary code, for performing the techniques described above. Storage device 610 may additionally store data used and manipulated by computer processor 606 .
- storage device 610 may be a database that is accessed by computer system 600 .
- Other examples of storage device 610 include random access memory (RAM), read only memory (ROM), a hard drive, a magnetic disk, an optical disk, a CD-ROM, a DVD, a flash memory, a USB memory card, or any other medium from which a computer can read.
- Memory 608 or storage device 610 may be an example of a non-transitory computer-readable storage medium for use by or in connection with computer system 600 .
- the computer-readable storage medium contains instructions for controlling a computer system to be operable to perform functions described by particular embodiments.
- the instructions when executed by one or more computer processors, may be operable to perform that which is described in particular embodiments.
- Computer system 600 includes a display 612 for displaying information to a computer user.
- Display 612 may display a user interface used by a user to interact with computer system 600 .
- Computer system 600 also includes a network interface 604 to provide data communication connection over a network, such as a local area network (LAN) or wide area network (WAN). Wireless networks may also be used.
- network interface 604 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information.
- Computer system 600 can send and receive information through network interface 604 across a network 614 , which may be an Intranet or the Internet.
- Computer system 600 may interact with other computer systems 600 through network 614 .
- client-server communications occur through network 614 .
- implementations of particular embodiments may be distributed across computer systems 600 through network 614 .
Abstract
Description
- The present disclosure claims priority to U.S. Provisional App. No. 61/582,910, entitled “Secure Application Distribution Platform”, filed Jan. 4, 2012, the contents of which is incorporated herein by reference in its entirety.
- The present disclosure is related to U.S. patent application Ser. No. ______, entitled “APPLICATION RECOMMENDATION SYSTEM,”, and U.S. patent application Ser. No. ______, entitled “APPLICATION CERTIFICATION AND SEARCH SYSTEM”, and filed concurrently, the contents of which are incorporated herein by reference in their entirety.
- As mobile electronic devices, such as smartphones, tablet computers, and smart televisions, are more commonly used, providing security on these devices becomes more important. For example, with the advent of “smart” devices, the mobile electronic devices allow users to download applications from application marketplaces. Some application marketplaces screen the applications that are offered. However, the screening process may not always perform comprehensive tests on the applications for security risks. Further, some application marketplaces are not regulated and allow any companies to place applications in the marketplace for download. This may increase the risk that some of these applications may include security risks because applications are not pre-screened.
- One way a user can decide whether to download an application is to look at user reviews of the applications. However, most often, the user reviews do not mention if any of the applications include a security risk or the application may become compromised after the user reviews were submitted. Thus, after downloading the application, the application may compromise the security of the mobile electronic device and possibly the data stored by the mobile electronic device. Even worse, the applications may also compromise the security of private enterprise networks if the networks are accessed from a compromised mobile electronic device.
- In one embodiment, a method determines a permission list from an application and generates a set of potential behaviors from the permission list. The set of potential behaviors is associated with actions that the application allows when executing on a mobile device where the set of potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application from the set of application marketplaces. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors. A security rating is determined based on the set of security related behaviors.
- In one embodiment, a non-transitory computer-readable storage medium is provided containing instructions, that when executed, control a computer system to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
- In one embodiment, an apparatus is provided comprising: one or more computer processors; and a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for: determining a permission list from an application; generating a set of potential behaviors from the permission list, the set of potential behaviors associated with actions that the application allows when executing on a mobile device, wherein the set of potential behaviors are determined without execution of the application; determining functional category information regarding a functional category from a set of application marketplaces that contain the application; determining application description information for the application from the set of application marketplaces; generating a required behavior list including a set of required behaviors from the functional category information and the application description information; comparing the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors, wherein security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors; and determining a security rating based on the set of security related behaviors.
- The following detailed description and accompanying drawings provide a better understanding of the nature and advantages of particular embodiments.
-
FIG. 1 depicts a simplified system for providing security according to one embodiment. -
FIG. 2 depicts a more detailed example of risk assessment manager according to one embodiment. -
FIG. 3 depicts a more detailed example of an analyzer manager and a security ratings manager according to one embodiment. -
FIG. 4 depicts a more detailed example of the analyzer manager and the security ratings manager for a list of Android permissions according to one embodiment. -
FIG. 5 depicts a simplified flowchart of a method for determining security ratings according to one embodiment. -
FIG. 6 illustrates an example of a special purpose computer system configured with a security ratings system according to one embodiment. - Described herein are techniques for a security ratings system. In the following description, for purposes of explanation, numerous examples and specific details are set forth in order to provide a thorough understanding of particular embodiments. Particular embodiments as defined by the claims may include some or all of the features in these examples alone or in combination with other features described below, and may further include modifications and equivalents of the features and concepts described herein.
- Particular embodiments provide a security ratings system for applications offered by application marketplaces. The security ratings may be tailored to how the applications operate and are used on mobile devices. A user may then review the security ratings and decide whether to download an application. Further, the security ratings may be sent to a user to warn the user of a possible security threat for an application currently residing on the user's mobile device.
-
FIG. 1 depicts asimplified system 100 for providing security according to one embodiment.System 100 includes a back-end security system 102 that may interact withmobile devices 104. In one embodiment, back-end security system 102 provides security services tomobile devices 104, which download applications (apps) 108 fromapplication marketplaces 106. -
Mobile devices 104 may be computing devices that can download applications 108, such as smartphones, tablet computers, smart televisions, laptop computers, and personal computers.Mobile devices 104 include a front-end security system 110 that may analyze applications 108 for security risks onmobile device 104. Front-end security system 110 evaluates applications 108 onmobile device 104 according to multiple independent aspects of security. In some examples, front-end security system 110 may interact with back-end security system 102 to send results of analysis of applications 108 onmobile device 104. For example, front-end security system 110 may analyze the use of applications 108, scanmobile device 104 for security risks, and then send information related to the analysis to back-end security system 102. - In one embodiment, back-
end security system 102 includes arisk assessment manager 112, anapplication recommendation manager 114, and anapplication certification manager 116.Risk assessment manager 112 may assess the risk of applications 108 and provide a security rating based on the assessment. In one embodiment, the security rating may be tailored to how applications 108 are used onmobile devices 104. For example, the security ratings may include certified, malicious, high-risk, and low-risk/noisy ratings. These security ratings will be described in more detail below. -
Application recommendation manager 114 may recommend new applications to users. In one embodiment,application recommendation manager 114 may communicate with front-end security system 110 to determine the new application recommendations. For example,application recommendation manager 114 may use user preferences and user behaviors that are determined based on actions performed onmobile device 104 in addition to information from similar users, such as a user's friends in a social network, to determine the application recommendations. In one embodiment,application recommendation manager 114 may provide the application recommendations based on communication with front-end security system 110. In other embodiments, front-end security system 110 may determine the application recommendations without communication with back-end security system 102. -
Application certification manager 116 provides certification that an instance of an application 108 in amarketplace 106 is an authentic copy. For example, an instance of an application 108 may be found inmultiple application marketplaces 106. However, specific instances of the application may not be certified copies. That is, other companies may copy an application 108 and/or modify an application 108.Application certification manager 116 scans applications 108 inapplication marketplaces 106, and can determine whether applications 108 are a certified copy. Thus, when a user wants to download an application 108 from aspecific application marketplace 106, the user can review the application certification to determine whether to download the application. Additionally, the application certification may indicate to users, organizations, enterprises, application stores, device providers, networks, and/or any other interested party, that the application has adequate security. The security certification may be unique to each certified application so that users can validate its authenticity. -
FIG. 2 depicts a more detailed example ofrisk assessment manager 112 according to one embodiment. Ananalyzer manager 202 may analyze applications 108 to provide information to asecurity ratings manager 204, which uses the information to determine security ratings for applications 108. In one embodiment, the security rating is determined without analyzing information frommobile devices 104. That is, how the application operates onmobile devices 104 is not analyzed to provide the security rating. This has a benefit in that malicious software may be determined before being downloaded ontomobile devices 104 where the applications could be harmful. -
Analyzer manager 202 may receive application packages, which may include application executable program files and associated data resources, and application metadata, such as an application name, a description, an author, a price, a download count, a review score, reviews by users, comments, a category of the application, version, an operating system (OS), icons, thumbnails, a release date, and update dates.Analyzer manager 202 may then analyze the application package and provide information regarding the application tosecurity ratings manager 204. The analysis that is performed is described in more detail below. - In one embodiment,
analyzer manager 202 includes differentautomatic analyzer modules 206, such as a cross-scanner 206-1, a static analyzer 206-2, a dynamic analyzer 206-3, a signature scan engine 206-4, a research formula analyzer 206-5, a heuristic analyzer 206-6, a root exploit analyzer 206-7, and a permission analyzer 206-8. In some cases, information from all of these analyzers is used, but only a portion of the analyzers may be used in other cases to determine security ratings. -
Analyzer modules 206, such as a research formula analyzer 206-5 and heuristic analyzer 206-6, access the application package and application metadata from the application database. Research formula analyzer 206-5 analyzes the application package and metadata using one or more rules. Rules may be specified by administrative users using conditional logic, such as a “if this then that” format via an interface, such as a web interface.Analyzer modules 206 receive samples of known malicious applications to identify patterns that are unique to these types of applications. Heuristic analyzer 206-6 then compares incoming applications with these patterns to identify any meaningful similarities that would identify an incoming application that is suspicious. A signature analyzer compares signatures of incoming applications with these patterns to identify any meaningful similarities. - Particular embodiments may include other types of
analyzer modules 206 for analyzing different security aspects of the applications. In an embodiment, the set ofanalyzer modules 206 is managed by an analyzer framework. A profiler gets information from application package file. A cross scan analyzer 206-1 scans applications by other vendors to get reference. A malware variant scanner (not shown) detects variants of malware. A certificate analyzer (not shown) analyzes cryptographic certificates associated with the application and may include a blacklist and a whitelist for certificates. A root exploit analyzer 206-7 determines if an application performs any actions to circumvent operating system privileges, such as gaining root privilege. A permission analyzer 206-8 is used to analyze the operating system permissions given to the application. A dynamic analyzer 206-3 analyzes the dynamic resource use of the application, such as processor, memory, battery, data storage, network traffic, and other system resource usage of an application. Dynamic analyzer 206-3 also analyzes communication of any private information to a 3rd party server or if the application performs any malicious actions at runtime. In an embodiment, dynamic analyzer 206-3 simulates real usage of the application. Static analyzer 206-2 is used to analyze the actions that the application attempts to perform. - In addition to automatic analysis, a
manual analysis manager 208 may be used. For example, based on the automatic analysis,analyzer manager 202 may send certain applications 108 tomanual analysis manager 208. A security analyst may then manually analyze applications 108. For example, the manual analysis may rate the security risk of application 108 or may confirm or deny the automatic security risk information determined byanalyzer manager 202. Once the security analyst review is performed,manual analysis manager 208 may send the security analyst review back toanalyzer manager 202, which can take into account the security analyst review in its automatic analysis. - If the suspicious application is determined to compromise one or more aspects of security, a digital signature or hash of the application is created to identify other instances of that application. This digital signature is provided to the signature based signature scan engine 206-4 for use in scanning for applications with the same signature.
- Depending on the analysis,
security ratings manager 204 assigns a security rating to each application 108 and may store the security rating in anapplication database 210. The various security ratings include certified, malicious, high-risk, faked/cloned, and low-risk/noisy ratings and howmobile devices 104 uniquely use applications 108 in a mobile environment. - In one embodiment, the certified security rating is for secured and approved applications 108 from trusted providers that are determined to pose no threat to
mobile devices 104. The malicious security rating is for applications 108 that may intentionally harmmobile device 104 or any computing device coupled tomobile device 104. This may include Trojan horses, viruses, and spyware. Further, certain behaviors that are unique tomobile devices 104 may be exhibited by malicious applications, such as sending short message service (SMS) messages without user's consent and in some cases sending premium-rate SMS messages; downloading and installing other applications without a user's consent; and compromising a user's privacy information, such as a user's contacts, global positioning satellite (GPS) location, call histories, SMS messages, and other personal information for the user. - A high-risk security rating means that applications 108 may be potentially dangerous. For example, these applications 108 may perform certain mobile device behaviors that include leaking personal identifiable information, such as a phone number, in plain text; performing actions that lead to unexpected charges on a user's telephone bill; modifying the operating system of
mobile device 104; monitoringmobile device 104 or tracking the position ofmobile device 104; or downloading other applications without confirmation. These applications 108 may also contain possible security vulnerabilities, such as hacking tools. - The faked/cloned security rating is for applications that have been copied from certified applications. For example, a company may copy a certified application and try to pass it off as the certified copy. However, the cloned copy may not function in the same way as the certified copy or may include malicious software.
- The low-risk/noisy security rating includes applications that perform behaviors related to use of
mobile devices 104. The behaviors include frequently pushing advertisements to a user, such as to a notification bar or through pop-up windows, aggressively displaying advertisements on a home screen even if the application is running in the background or closed; aggressively promoting other applications by prompting a user to download the applications; leaking a device identifier, such as an IMEI or IMSI, in plain text. It should be noted that these behaviors may not be a security risk as in these behaviors do not perform malicious actions tomobile device 104. However, these actions may create noise to a user, such as distracting them with advertisements. - Once the security ratings are stored in
storage 210, acommunication manager 212 may communicate the security rating tomobile devices 104 that include applications 108 that have been rated. Additionally,communication manager 212 may communicate the security rating toapplication marketplaces 106. The marketplaces may display the security rating in the marketplace to allow users to determine whether they want to download applications 108. -
FIG. 3 depicts a more detailed example ofanalyzer manager 202 andsecurity ratings manager 204 according to one embodiment. In one embodiment, the potential harmful behavior of applications 108 and grading of the security risks are determined without actually executing applications 108 onmobile devices 104. Particular embodiments define a set of behaviors that will affect the security ofmobile device 104. For example, these behaviors may include behaviors that are associated with operating a mobile device, such as initiating a phone call, sending an SMS message, tracking the location ofmobile device 104, accessing the contacts and sending contact information, accessing mobile device information, accessing the camera/video and initiating the camera or video recorder, accessing SMS content, and accessing a call log. Based on which behaviors are determined that an application 108 can perform, a different security rating may be applied to each behavior and/or application 108. - An
application analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata.Application analyzer 302 analyzes the application package to determine a permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed. The operating system defines or provides a list of APIs that applications can use to trigger certain actions or access certain data. Each permission is associated to a set of APIs. To access the APIs, an application needs to claim proper permissions that are associated to the APIs the application wants to invoke. However, the combination of same set of APIs can generate various kinds of behaviors and thus consequences from the behaviors on the mobile device, which can be secure to the user as well as harmful to the user. Static analyzer 206-2 extracts all the permissions from an application that the application claims to use and check that the application has claimed more permissions than it needs for normal or secure behavior. Dynamic analyzer 206-3 goes one step further by analyzing how the APIs associated with the permissions that an application has declared to use are used inside the code of the application and thus determines the kind of runtime behaviors that are triggered to determine whether any of runtime behaviors are harmful to the mobile device and/or users.Application analyzer 302 may determine the permission list from the application's executable file or application metadata. -
Application analyzer 302 uses the permission list to generate a set of potential behaviors for application 108. In one embodiment, a first mapping table (MT1) is used to determine the potential behaviors. For example, mapping table #1 may map different permissions to different potential behaviors. For each permission in the permission list, a list of potential behaviors is determined. The following may be used to determine the set of potential behaviors: -
For each permission combination PC in MT1: if PC in CPL BL = MT1(PC); Add BL into PBL,
where PC is a permission and CPL is a permission list, BL is the set of possible behaviors, and PBL is a potential behavior list. The above determines the list of behaviors by applying the permissions to mapping table #1 and then adds the behaviors determined as potential behaviors in the PBL. An example of mapping table #1 may be: -
Permission Behavior READ_CONTACT Get contact list Get call history
In the above, if the permission of “READ_CONTACT” is determined, then the behaviors of accessing the contact list and accessing the call history are added. The potential behaviors in the PBL for all permissions will be used later in the process described below. - A
category analyzer 304 collects category information for an application 108 fromvarious application marketplaces 106. For example,different marketplaces 106 may be offering an instance of application 108. However,different marketplaces 106 may categorize the same application 108 in different categories. For example, oneapplication marketplace 106 may categorize application 108 in a general “games” category and anotherapplication marketplace 106 may categorize application 108 in a “race car game” category.Category analyzer 304 may receive the categories thatapplication marketplaces 106 have used based on a crawling ofapplication marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application. - In one embodiment,
category analyzer 304 may select a default category (DC) based on the category information received from allapplication marketplaces 106. The default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace. -
Category analyzer 304 then uses a second mapping table #2 (MT2) that maps categories to required behaviors. For example, mapping table #2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category. An example of mapping table #2 may be: -
Category Behavior Social Network Get contact list Access Internet
In the above, if the category of “Social Network” is determined, then the behavior of accessing the contact list and the Internet is determined. - An
application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality. In one example, a crawler may crawl throughvarious application marketplaces 106 to determine the application name and description from eachapplication marketplace 106. For example, different marketplaces may have a different description of an instance of application 108. Further, different applications may have different names in different marketplaces, but may be the same application. -
Application description analyzer 306 includes a third mapping table #3 (MT3) that maps keywords to required behaviors. An example of mapping table #3 may be: -
Keyword Behavior phone call Call phone video call Call phone dialer/Call phone
In the above, various keywords are mapped to behaviors, such as a keyword of phone call is mapped to a behavior of making a phone call. For example,application description analyzer 306 may extract keywords from the functional description and/or application name. The keywords may be information that describes application 108, such as an e-mail messaging application, a game, etc.Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table #3. - A required
behavior manager 308 receives required behaviors fromcategory analyzer 304 andapplication description analyzer 306.Required behavior manager 308 may then output a set of required behaviors.Required behavior manager 308 may use the following algorithm to determine the set of required behaviors: -
BL1 = MT2(DC); Add BL1 into RBL; For each keywords K in TF BL2 = MT3(DC, K); Add BL2 into RBL,
where BL1 is a first set of required behaviors fromcategory analyzer 304, DC is a default category, RBL is a required behavior list, BL2 is a second list of required behaviors fromdescription analyzer 306, and K is a constant. The above algorithm determines a first behavior list (RBL) based on the output of mapping table #2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL2 is determined by applying the keywords to a mapping table #3. The second required behavior list BL2 is then added into the required behavior list RBL. - A
behavior comparison manager 310 receives the required behavior list in addition to the potential behavior list.Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates an abused behavior list (ABL). The following algorithm may be used: -
For each behavior B in PBL if it not in RBL Add B into ABL;
If the abused behavior list is an empty set, i.e., no behaviors were added into the abused behavior list, security ratings determiner 312 insecurity ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the abused behavior list. For example, security ratings determiner 312 may review each behavior and assign a security rating. That is, each behavior may be given one of the security ratings. - Once each behavior has been rated, then security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of behaviors that are in the low-risk/noisy security rating,
security rating determiner 312 assigns a low-risk/noisy security rating to application 108. Also, the number of behaviors may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108. In other cases, if one behavior is included in a certain security rating, such as malicious, then that security rating is assigned to application 108. For example, if an application exhibits just one malicious behavior, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious behavior. - Particular embodiments may also be used for an Android™ application. In this case, a list of Android permissions may be mapped into a security rating.
-
FIG. 4 depicts a more detailed example ofanalyzer manager 202 andsecurity ratings manager 204 for a list of Android permissions according to one embodiment. Anapplication analyzer 302 receives an application package. As discussed above, the application package may include an application executable and/or application metadata.Application analyzer 302 analyzes the application package to determine an Android permission list, which may be a set of permissions that are set in application 108 to allow certain behaviors to be performed in Android.Application analyzer 302 may determine the permission list from the application's executable file or application metadata. -
Application analyzer 302 maps each permission to a security rating (SR(P)) using a first mapping table #1 (MT1). - A
category analyzer 304 collects category information for an application 108 fromvarious application marketplaces 106. For example,different marketplaces 106 may be offering an instance of application 108. However,different marketplaces 106 may categorize the same application 108 in different categories. For example, oneapplication marketplace 106 may categorize application 108 in a general games category and anotherapplication marketplace 106 may categorize application 108 in a race car game category.Category analyzer 304 may receive the categories thatapplication marketplaces 106 have used based on a crawling ofapplication marketplaces 106 for category information. For example, once an application 108 is found, the crawler captures how the marketplace categorizes the application. - In one embodiment,
category analyzer 304 may select a default category (DC) based on the category information received from allapplication marketplaces 106. The default category may be selected by selecting one application marketplace that is well-known or trusted and using the category of that application marketplace. -
Category analyzer 304 then uses a second mapping table #2 (MT2) that maps categories to required behaviors. For example, mapping table #2 may include all possible default categories and the required behaviors that are to be performed for any application that is categorized in that category - An
application description analyzer 306 receives an application description, which may include an application name and synopsis of the application functionality. In one example, a crawler may crawl throughvarious application marketplaces 106 to determine the application name and description from eachapplication marketplace 106. For example, different marketplaces may have a different description of an instance of application 108. Further, different applications may have different names in different marketplaces, but may be the same application. -
Application description analyzer 306 includes a third mapping table #3 (MT3) that maps keywords to required behaviors. For example,application description analyzer 306 may extract keywords from the functional description and/or application name. The keywords may be information that describes application 108, such as an e-mail messaging application, a game, etc.Application description analyzer 306 outputs required behaviors based on inputting the keywords into mapping table #3. - A required
behavior manager 308 receives required behaviors fromcategory analyzer 304 andapplication description analyzer 306.Required behavior manager 308 may then output a set of required behaviors.Required behavior manager 308 may use the following algorithm to determine the set of required behaviors: -
BL1 = MT2(DC); Add BL1 into RBL; For each keywords K in TF BL2 = MT3(DC, K); Add BL2 into RBL,
where BL1 is a first set of required behaviors fromcategory analyzer 304, DC is a default category, RBL is a required behavior list, BL2 is a second list of required behaviors fromdescription analyzer 306, and K is a constant. The above algorithm determines a first behavior list (RBL) based on the output of mapping table #2 and adds the behaviors into a required behavior list (RBL). For each of the keywords determined from the application description, a behavior list BL2 is determined by applying the keywords to a mapping table #3. The second required behavior list BL2 is then added into the required behavior list RBL. - A
behavior comparison manager 310 receives the required behavior list in addition to the potential behavior lists.Behavior comparison manager 310 then compares the required behaviors to potential behaviors and generates a violated permission list (VPL). The following algorithm may be used: -
For each behavior B in PBL if it not in RBL Add B into VPL;
If the violated permission list is an empty set, i.e., no permissions were added into the violated permission list, security ratings determiner 312 insecurity ratings manager 204 may consider application 108 to be certified. Otherwise, security ratings determiner 312 may base the security rating on each behavior on the violated permission list. For example, security ratings determiner 312 may review each permission and assign a security rating. For example, each permission may be given one of the security ratings. - Once each permission has been rated, then security ratings determiner 312 determines an overall security rating. For example, if application 108 includes a high percentage of permissions that are in the low-risk/noisy security rating,
security rating determiner 312 assigns a low-risk/noisy security rating to application 108. Also, the number of permissions may be applied to a threshold for each security rating to determine whether that security rating should be assigned to application 108. In other cases, if one permission is included in a certain security rating, such as malicious, then that security rating is assigned to application 108. For example, if an application exhibits just one malicious permission, then it is desirable to assign this application as being malicious because it may not be desirable to have an application perform any malicious permission. -
FIG. 5 depicts asimplified flowchart 500 of a method for determining security ratings according to one embodiment. At 502,risk assessment manager 112 determines a permission list from an application 108. The permission list may be determined from an application package. - At 504,
risk assessment manager 112 generates a set of potential behaviors from the permission list. The set of potential behaviors are associated with actions that the application allows when executing on a mobile device. In one embodiment,risk assessment manager 112 determines the set of potential behaviors without execution of the application. - At 506,
risk assessment manager 112 determines functional category information regarding a functional category from a set ofapplication marketplaces 106 that contain the application. The functional category information may be different fordifferent marketplaces 106 and a default category may be determined. - At 508,
risk assessment manager 112 determines application description information for the application from the set of application marketplaces. The application description information may be keywords from a synopsis of the application. - At 510,
risk assessment manager 112 generates a required behavior list including a set of required behaviors from the functional category information and the application description information.Risk assessment manager 112 may use mapping tables to generate the required behavior list. - At 512,
risk assessment manager 112 compares the set of required behaviors to the set of potential behaviors to determine a set of security related behaviors. The security related behaviors may be abused behaviors or abused permissions as described above. In one embodiment, the security related behaviors are behaviors found in the set of potential behaviors, but not in the set of required behaviors. At 514,risk assessment manager 112 determines a security rating based on the set of abused behaviors. -
FIG. 6 illustrates an example of a specialpurpose computer system 600 configured with a security ratings system according to one embodiment.Computer system 600 includes abus 602,network interface 604, acomputer processor 606, amemory 608, astorage device 610, and adisplay 612. -
Bus 602 may be a communication mechanism for communicating information.Computer processor 604 may execute computer programs stored inmemory 608 orstorage device 608. Any suitable programming language can be used to implement the routines of particular embodiments including C, C++, Java, assembly language, etc. Different programming techniques can be employed such as procedural or object oriented. The routines can execute on asingle computer system 600 ormultiple computer systems 600. Further,multiple processors 606 may be used. -
Memory 608 may store instructions, such as source code or binary code, for performing the techniques described above.Memory 608 may also be used for storing variables or other intermediate information during execution of instructions to be executed byprocessor 606. Examples ofmemory 608 include random access memory (RAM), read only memory (ROM), or both. -
Storage device 610 may also store instructions, such as source code or binary code, for performing the techniques described above.Storage device 610 may additionally store data used and manipulated bycomputer processor 606. For example,storage device 610 may be a database that is accessed bycomputer system 600. Other examples ofstorage device 610 include random access memory (RAM), read only memory (ROM), a hard drive, a magnetic disk, an optical disk, a CD-ROM, a DVD, a flash memory, a USB memory card, or any other medium from which a computer can read. -
Memory 608 orstorage device 610 may be an example of a non-transitory computer-readable storage medium for use by or in connection withcomputer system 600. The computer-readable storage medium contains instructions for controlling a computer system to be operable to perform functions described by particular embodiments. The instructions, when executed by one or more computer processors, may be operable to perform that which is described in particular embodiments. -
Computer system 600 includes adisplay 612 for displaying information to a computer user.Display 612 may display a user interface used by a user to interact withcomputer system 600. -
Computer system 600 also includes anetwork interface 604 to provide data communication connection over a network, such as a local area network (LAN) or wide area network (WAN). Wireless networks may also be used. In any such implementation,network interface 604 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information. -
Computer system 600 can send and receive information throughnetwork interface 604 across anetwork 614, which may be an Intranet or the Internet.Computer system 600 may interact withother computer systems 600 throughnetwork 614. In some examples, client-server communications occur throughnetwork 614. Also, implementations of particular embodiments may be distributed acrosscomputer systems 600 throughnetwork 614. - As used in the description herein and throughout the claims that follow, “a”, “an”, and “the” includes plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
- The above description illustrates various embodiments along with examples of how aspects of particular embodiments may be implemented. The above examples and embodiments should not be deemed to be the only embodiments, and are presented to illustrate the flexibility and advantages of particular embodiments as defined by the following claims. Based on the above disclosure and the following claims, other arrangements, embodiments, implementations and equivalents may be employed without departing from the scope hereof as defined by the claims.
- The above description illustrates various embodiments along with examples of how aspects of particular embodiments may be implemented. The above examples and embodiments should not be deemed to be the only embodiments, and are presented to illustrate the flexibility and advantages of particular embodiments as defined by the following claims. Based on the above disclosure and the following claims, other arrangements, embodiments, implementations and equivalents may be employed without departing from the scope hereof as defined by the claims.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/734,467 US9063964B2 (en) | 2012-01-04 | 2013-01-04 | Detecting application harmful behavior and grading application risks for mobile devices |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201261582910P | 2012-01-04 | 2012-01-04 | |
US13/734,467 US9063964B2 (en) | 2012-01-04 | 2013-01-04 | Detecting application harmful behavior and grading application risks for mobile devices |
Publications (2)
Publication Number | Publication Date |
---|---|
US20130212684A1 true US20130212684A1 (en) | 2013-08-15 |
US9063964B2 US9063964B2 (en) | 2015-06-23 |
Family
ID=48780718
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/734,453 Active 2033-04-09 US9020925B2 (en) | 2012-01-04 | 2013-01-04 | Application certification and search system |
US13/734,550 Active US9213729B2 (en) | 2012-01-04 | 2013-01-04 | Application recommendation system |
US13/734,467 Active 2033-01-08 US9063964B2 (en) | 2012-01-04 | 2013-01-04 | Detecting application harmful behavior and grading application risks for mobile devices |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/734,453 Active 2033-04-09 US9020925B2 (en) | 2012-01-04 | 2013-01-04 | Application certification and search system |
US13/734,550 Active US9213729B2 (en) | 2012-01-04 | 2013-01-04 | Application recommendation system |
Country Status (1)
Country | Link |
---|---|
US (3) | US9020925B2 (en) |
Cited By (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140245448A1 (en) * | 2013-02-27 | 2014-08-28 | Electronics And Telecommunications Research Institute | Apparatus and method for analyzing permission of application for mobile devices and detecting risk |
US20140280098A1 (en) * | 2013-03-15 | 2014-09-18 | Quixey, Inc. | Performing application search based on application gaminess |
US8918387B1 (en) | 2012-04-04 | 2014-12-23 | Symantec Corporation | Systems and methods for classifying applications configured for cloud-based platforms |
US20150067830A1 (en) * | 2013-08-28 | 2015-03-05 | Amazon Technologies, Inc. | Dynamic application security verification |
CN104462971A (en) * | 2014-12-17 | 2015-03-25 | 北京奇虎科技有限公司 | Malicious application program recognition method and device according to application program declaration characteristics |
EP2884784A1 (en) * | 2013-12-11 | 2015-06-17 | Alcatel Lucent | Privacy ratings for applications of mobile terminals |
US20150172146A1 (en) * | 2012-06-05 | 2015-06-18 | Lookout, Inc. | Identifying manner of usage for software assets in applications on user devices |
US9152694B1 (en) * | 2013-06-17 | 2015-10-06 | Appthority, Inc. | Automated classification of applications for mobile devices |
US9183383B1 (en) * | 2014-12-05 | 2015-11-10 | AO Kaspersky Lab | System and method of limiting the operation of trusted applications in presence of suspicious programs |
US20150332049A1 (en) * | 2014-05-15 | 2015-11-19 | Northwestern University | System and method for determining description-to-permission fidelity in mobile applications |
US9208215B2 (en) | 2012-12-27 | 2015-12-08 | Lookout, Inc. | User classification based on data gathered from a computing device |
US9223961B1 (en) * | 2012-04-04 | 2015-12-29 | Symantec Corporation | Systems and methods for performing security analyses of applications configured for cloud-based platforms |
US20160012221A1 (en) * | 2013-03-05 | 2016-01-14 | Telecom Italia S.P.A. | Method For Measuring and Monitoring the Access Levels to Personal Data Generated by Resources of a User Device |
US20160055336A1 (en) * | 2013-03-28 | 2016-02-25 | Mwstory Co., Ltd. | System for preventing malicious intrusion based on smart device and method thereof |
US20160110543A1 (en) * | 2014-10-21 | 2016-04-21 | Electronics And Telecommunications Research Institute | Apparatus and method for detecting malicious application based on visualization similarity |
US9323511B1 (en) * | 2013-02-28 | 2016-04-26 | Google Inc. | Splitting application permissions on devices |
WO2016108378A1 (en) * | 2014-12-30 | 2016-07-07 | Samsung Electronics Co., Ltd. | Electronic system with risk presentation mechanism and method of operation thereof |
US9589129B2 (en) | 2012-06-05 | 2017-03-07 | Lookout, Inc. | Determining source of side-loaded software |
US9596256B1 (en) * | 2014-07-23 | 2017-03-14 | Lookingglass Cyber Solutions, Inc. | Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface |
US9652617B1 (en) * | 2013-06-25 | 2017-05-16 | Amazon Technologies, Inc. | Analyzing security of applications |
US9665465B1 (en) * | 2012-11-19 | 2017-05-30 | Amazon Technologies, Inc. | Automated determination of application permissions |
US9762596B2 (en) | 2011-05-24 | 2017-09-12 | Palo Alto Networks, Inc. | Heuristic botnet detection |
US9762608B1 (en) * | 2012-09-28 | 2017-09-12 | Palo Alto Networks, Inc. | Detecting malware |
US9804869B1 (en) | 2013-07-30 | 2017-10-31 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US20170372066A1 (en) * | 2016-06-28 | 2017-12-28 | International Business Machines Corporation | Detecting harmful applications prior to installation on a user device |
US20180039774A1 (en) * | 2016-08-08 | 2018-02-08 | International Business Machines Corporation | Install-Time Security Analysis of Mobile Applications |
US9921827B1 (en) | 2013-06-25 | 2018-03-20 | Amazon Technologies, Inc. | Developing versions of applications based on application fingerprinting |
US9942251B1 (en) * | 2012-09-28 | 2018-04-10 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US9990481B2 (en) | 2012-07-23 | 2018-06-05 | Amazon Technologies, Inc. | Behavior-based identity system |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US10037548B2 (en) | 2013-06-25 | 2018-07-31 | Amazon Technologies, Inc. | Application recommendations based on application and lifestyle fingerprinting |
US10114944B1 (en) * | 2015-11-12 | 2018-10-30 | Symantec Corporation | Systems and methods for classifying permissions on mobile devices |
US10114950B2 (en) | 2012-10-19 | 2018-10-30 | McAFEE, LLC. | Mobile application management |
US10152597B1 (en) | 2014-12-18 | 2018-12-11 | Palo Alto Networks, Inc. | Deduplicating malware |
US10204221B2 (en) | 2014-07-14 | 2019-02-12 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US10218697B2 (en) | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
CN109445874A (en) * | 2018-11-15 | 2019-03-08 | 济南浪潮高新科技投资发展有限公司 | A kind of more activation systems and method with safety certification based on embedded Linux system |
US10242187B1 (en) * | 2016-09-14 | 2019-03-26 | Symantec Corporation | Systems and methods for providing integrated security management |
US10269029B1 (en) | 2013-06-25 | 2019-04-23 | Amazon Technologies, Inc. | Application monetization based on application and lifestyle fingerprinting |
WO2019108919A1 (en) * | 2017-12-01 | 2019-06-06 | Seven Networks, Llc | Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators |
US20190354686A1 (en) * | 2018-05-16 | 2019-11-21 | Target Brands, Inc. | Electronic security evaluator |
US10867041B2 (en) | 2013-07-30 | 2020-12-15 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11087024B2 (en) | 2016-01-29 | 2021-08-10 | Samsung Electronics Co., Ltd. | System and method to enable privacy-preserving real time services against inference attacks |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
US11259183B2 (en) | 2015-05-01 | 2022-02-22 | Lookout, Inc. | Determining a security state designation for a computing device based on a source of software |
US20220094716A1 (en) * | 2013-10-18 | 2022-03-24 | Nokia Technologies Oy | Method and system for operating and monitoring permissions for applications in an electronic device |
Families Citing this family (59)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102957727A (en) * | 2011-08-26 | 2013-03-06 | 腾讯科技(深圳)有限公司 | Client side, server and friend feed prompting system and friend feed prompting method in SNS (social network service) network |
JP5857636B2 (en) * | 2011-11-02 | 2016-02-10 | ソニー株式会社 | Information processing apparatus, information processing method, and program |
US9544212B2 (en) | 2012-01-27 | 2017-01-10 | Microsoft Technology Licensing, Llc | Data usage profiles for users and applications |
US9275227B2 (en) * | 2012-04-05 | 2016-03-01 | International Business Machines Corporation | Policy driven administration of mobile applications |
US11368760B2 (en) * | 2012-08-17 | 2022-06-21 | Flextronics Ap, Llc | Applications generating statistics for user behavior |
US8612470B1 (en) * | 2012-12-28 | 2013-12-17 | Dropbox, Inc. | Application recommendation using stored files |
KR20140106887A (en) * | 2013-02-27 | 2014-09-04 | 삼성전자주식회사 | A method for displaying program and an electronic device thereof |
US9335818B2 (en) * | 2013-03-15 | 2016-05-10 | Pandora Media | System and method of personalizing playlists using memory-based collaborative filtering |
US9501762B2 (en) | 2013-04-23 | 2016-11-22 | Dropbox, Inc. | Application recommendation using automatically synchronized shared folders |
US9955286B2 (en) * | 2013-05-08 | 2018-04-24 | Natalya Segal | Smart wearable devices and system therefor |
WO2015042290A1 (en) * | 2013-09-19 | 2015-03-26 | Quixey, Inc. | Identifying gaps in search results |
US10021169B2 (en) * | 2013-09-20 | 2018-07-10 | Nuance Communications, Inc. | Mobile application daily user engagement scores and user profiles |
US9589024B2 (en) * | 2013-09-27 | 2017-03-07 | Intel Corporation | Mechanism for facilitating dynamic and proactive data management for computing devices |
US9336278B2 (en) * | 2013-09-30 | 2016-05-10 | Google Inc. | User experience and user flows for third-party application recommendation in cloud storage systems |
US9633081B1 (en) | 2013-09-30 | 2017-04-25 | Google Inc. | Systems and methods for determining application installation likelihood based on user network characteristics |
US9390141B2 (en) | 2013-09-30 | 2016-07-12 | Google Inc. | Systems and methods for determining application installation likelihood based on probabilistic combination of subordinate methods |
US9177255B1 (en) | 2013-09-30 | 2015-11-03 | Google Inc. | Cloud systems and methods for determining the probability that a second application is installed based on installation characteristics |
US11188543B2 (en) | 2013-10-14 | 2021-11-30 | International Business Machines Corporation | Utilizing social information for recommending an application |
CN104866505B (en) * | 2014-02-25 | 2021-04-06 | 腾讯科技(深圳)有限公司 | Application recommendation method and device |
CN104603753B (en) * | 2014-03-19 | 2018-10-19 | 华为技术有限公司 | A kind of recommendation method, system and the server of application |
WO2015167587A1 (en) * | 2014-04-30 | 2015-11-05 | Hewlett-Packard Development Company, L.P. | Determining application deployment recommendations |
US9536199B1 (en) | 2014-06-09 | 2017-01-03 | Google Inc. | Recommendations based on device usage |
WO2016000555A1 (en) * | 2014-06-30 | 2016-01-07 | 北京奇虎科技有限公司 | Methods and systems for recommending social network-based content and news |
KR101682671B1 (en) * | 2014-07-31 | 2016-12-06 | 엔에이치엔엔터테인먼트 주식회사 | Service method and system for recommending post associated appstore with timeline |
US9348571B2 (en) * | 2014-08-25 | 2016-05-24 | General Electric Company | Method, device, and program storage device for autonomous software life cycle management |
US9542451B2 (en) * | 2014-09-05 | 2017-01-10 | Google Inc. | Mobile application search ranking |
US9070088B1 (en) | 2014-09-16 | 2015-06-30 | Trooly Inc. | Determining trustworthiness and compatibility of a person |
CN104298522B (en) * | 2014-09-22 | 2018-08-31 | 联想(北京)有限公司 | A kind of information processing method and the first electronic equipment |
US20160124959A1 (en) * | 2014-10-31 | 2016-05-05 | Google Inc. | System and method to recommend a bundle of items based on item/user tagging and co-install graph |
US20160162148A1 (en) * | 2014-12-04 | 2016-06-09 | Google Inc. | Application launching and switching interface |
US9509857B2 (en) * | 2014-12-10 | 2016-11-29 | Google Inc. | Mobile device push notification using mobile application usage history |
US10332184B2 (en) * | 2014-12-15 | 2019-06-25 | Samsung Electronics Co., Ltd. | Personalized application recommendations |
US20160188169A1 (en) * | 2014-12-31 | 2016-06-30 | TCL Research America Inc. | Least touch mobile device |
US11373212B2 (en) * | 2015-03-03 | 2022-06-28 | Zeta Global Corp. | System and method for data enrichment for requests for advertising on mobile devices |
RU2592460C1 (en) * | 2015-03-31 | 2016-07-20 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of controlling privileges of consumers of personal data |
US20170085677A1 (en) * | 2015-09-18 | 2017-03-23 | Quixey, Inc. | Recommending Applications |
US20170147581A1 (en) * | 2015-11-24 | 2017-05-25 | Facebook, Inc. | Systems and methods for sharing content |
CN106170791A (en) * | 2016-01-20 | 2016-11-30 | 马岩 | A kind of information classification approach based on app and system |
US10536540B2 (en) * | 2016-05-02 | 2020-01-14 | Microsoft Technology Licensing, Llc | Computing system architecture for producing file analytics |
US20170353603A1 (en) * | 2016-06-03 | 2017-12-07 | Facebook, Inc. | Recommending applications using social networking information |
CN106682056B (en) * | 2016-07-15 | 2018-11-20 | 腾讯科技(深圳)有限公司 | The determination method, apparatus and system of correlation between different application software |
US9947037B2 (en) | 2016-09-14 | 2018-04-17 | International Business Machines Corporation | Software recommendation services for targeted user groups |
US10262157B2 (en) * | 2016-09-28 | 2019-04-16 | International Business Machines Corporation | Application recommendation based on permissions |
US11269961B2 (en) | 2016-10-28 | 2022-03-08 | Microsoft Technology Licensing, Llc | Systems and methods for App query driven results |
US10169576B2 (en) * | 2016-11-15 | 2019-01-01 | International Business Machines Corporation | Malware collusion detection |
US11423109B2 (en) * | 2017-08-31 | 2022-08-23 | Shenzhen Heytap Technology Corp., Ltd. | Information processing method, server and computer program product |
CN107707642B (en) * | 2017-09-22 | 2019-08-13 | Oppo广东移动通信有限公司 | Brush amount terminal determines method and device |
CN107908686B (en) * | 2017-10-31 | 2020-01-14 | Oppo广东移动通信有限公司 | Information pushing method and device, server and readable storage medium |
US11410075B2 (en) * | 2018-01-15 | 2022-08-09 | Microsoft Technology Licensing, Llc | Contextually-aware recommendations for assisting users with task completion |
US10824547B2 (en) * | 2018-09-10 | 2020-11-03 | Servicenow, Inc. | Automated certification testing for application deployment |
EP3629159A1 (en) * | 2018-09-28 | 2020-04-01 | Telefonica Digital España, S.L.U. | Risk computation for software extensions |
US11144425B1 (en) * | 2019-06-28 | 2021-10-12 | NortonLifeLock Inc. | Systems and methods for crowdsourced application advisory |
US20210142334A1 (en) * | 2019-11-08 | 2021-05-13 | Ul Llc | Technologies for using machine learning to determine product certification eligibility |
US11474806B2 (en) | 2019-11-19 | 2022-10-18 | Salesforce.Com, Inc. | Automatically producing and code-signing binaries |
US11227323B2 (en) * | 2020-03-30 | 2022-01-18 | EMC IP Holding Company LLC | Smart software recommendation using an application network |
CN111737576B (en) * | 2020-06-22 | 2023-09-19 | 中国银行股份有限公司 | Application function personalized recommendation method and device |
WO2022052038A1 (en) * | 2020-09-11 | 2022-03-17 | Citrix Systems, Inc. | Systems and methods for application access |
WO2023096501A1 (en) * | 2021-11-24 | 2023-06-01 | Xero Limited | Methods and systems for building and/or using a graph data structure |
KR20240038404A (en) * | 2022-09-16 | 2024-03-25 | 삼성전자주식회사 | Electronic apparatus displaying icons and control method thereof |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120072991A1 (en) * | 2010-09-22 | 2012-03-22 | Rohyt Belani | Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms |
US20120317638A1 (en) * | 2011-06-07 | 2012-12-13 | Research In Motion Limited | Method and devices for managing permission requests to allow access to a computing resource |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5813009A (en) * | 1995-07-28 | 1998-09-22 | Univirtual Corp. | Computer based records management system method |
US6772139B1 (en) * | 1998-10-05 | 2004-08-03 | Smith, Iii Julius O. | Method and apparatus for facilitating use of hypertext links on the world wide web |
JP4238411B2 (en) * | 1999-04-12 | 2009-03-18 | ソニー株式会社 | Information processing system |
US7089552B2 (en) * | 2002-08-29 | 2006-08-08 | Sun Microsystems, Inc. | System and method for verifying installed software |
US8676830B2 (en) * | 2004-03-04 | 2014-03-18 | Yahoo! Inc. | Keyword recommendation for internet search engines |
KR100835631B1 (en) * | 2004-07-20 | 2008-06-09 | 후지쯔 가부시끼가이샤 | Electronic document management system |
EP1920393A2 (en) * | 2005-07-22 | 2008-05-14 | Yogesh Chunilal Rathod | Universal knowledge management and desktop search system |
WO2007076453A1 (en) * | 2005-12-21 | 2007-07-05 | Decernis, Llc | Document validation system and method |
US7769712B2 (en) * | 2005-12-21 | 2010-08-03 | Decernis, Llc | Document validation system and method |
US7963839B2 (en) * | 2006-09-19 | 2011-06-21 | Mudalla Technology, Inc. | Regulated gaming exchange |
JP4371327B2 (en) * | 2007-10-24 | 2009-11-25 | 富士通株式会社 | Application processing program, application processing method, mediation server device, and mediation server system |
US7904530B2 (en) * | 2008-01-29 | 2011-03-08 | Palo Alto Research Center Incorporated | Method and apparatus for automatically incorporating hypothetical context information into recommendation queries |
US8763071B2 (en) * | 2008-07-24 | 2014-06-24 | Zscaler, Inc. | Systems and methods for mobile application security classification and enforcement |
US8881128B2 (en) * | 2010-02-25 | 2014-11-04 | Blackberry Limited | Method and system for acquisition of an application for installation at a communication device |
US20120072283A1 (en) * | 2010-09-16 | 2012-03-22 | Mobilmeme, Inc. | Mobile application recommendation system and method |
EP2633487B1 (en) * | 2010-10-29 | 2020-11-25 | Orange | Method and system to recommend applications from an application market place to a new device |
US8468164B1 (en) * | 2011-03-09 | 2013-06-18 | Amazon Technologies, Inc. | Personalized recommendations based on related users |
EP2712442A1 (en) * | 2011-05-09 | 2014-04-02 | Google, Inc. | Recommending applications for mobile devices based on installation histories |
US9781540B2 (en) * | 2011-07-07 | 2017-10-03 | Qualcomm Incorporated | Application relevance determination based on social context |
-
2013
- 2013-01-04 US US13/734,453 patent/US9020925B2/en active Active
- 2013-01-04 US US13/734,550 patent/US9213729B2/en active Active
- 2013-01-04 US US13/734,467 patent/US9063964B2/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120072991A1 (en) * | 2010-09-22 | 2012-03-22 | Rohyt Belani | Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms |
US20120317638A1 (en) * | 2011-06-07 | 2012-12-13 | Research In Motion Limited | Method and devices for managing permission requests to allow access to a computing resource |
Cited By (82)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9762596B2 (en) | 2011-05-24 | 2017-09-12 | Palo Alto Networks, Inc. | Heuristic botnet detection |
US9223961B1 (en) * | 2012-04-04 | 2015-12-29 | Symantec Corporation | Systems and methods for performing security analyses of applications configured for cloud-based platforms |
US8918387B1 (en) | 2012-04-04 | 2014-12-23 | Symantec Corporation | Systems and methods for classifying applications configured for cloud-based platforms |
US9940454B2 (en) | 2012-06-05 | 2018-04-10 | Lookout, Inc. | Determining source of side-loaded software using signature of authorship |
US9215074B2 (en) | 2012-06-05 | 2015-12-15 | Lookout, Inc. | Expressing intent to control behavior of application components |
US10256979B2 (en) | 2012-06-05 | 2019-04-09 | Lookout, Inc. | Assessing application authenticity and performing an action in response to an evaluation result |
US20150172146A1 (en) * | 2012-06-05 | 2015-06-18 | Lookout, Inc. | Identifying manner of usage for software assets in applications on user devices |
US20150169877A1 (en) * | 2012-06-05 | 2015-06-18 | Lookout, Inc. | Monitoring for fraudulent or harmful behavior in applications being installed on user devices |
US9407443B2 (en) | 2012-06-05 | 2016-08-02 | Lookout, Inc. | Component analysis of software applications on computing devices |
US11336458B2 (en) * | 2012-06-05 | 2022-05-17 | Lookout, Inc. | Evaluating authenticity of applications based on assessing user device context for increased security |
US9589129B2 (en) | 2012-06-05 | 2017-03-07 | Lookout, Inc. | Determining source of side-loaded software |
US9992025B2 (en) | 2012-06-05 | 2018-06-05 | Lookout, Inc. | Monitoring installed applications on user devices |
US10419222B2 (en) * | 2012-06-05 | 2019-09-17 | Lookout, Inc. | Monitoring for fraudulent or harmful behavior in applications being installed on user devices |
US9990481B2 (en) | 2012-07-23 | 2018-06-05 | Amazon Technologies, Inc. | Behavior-based identity system |
US9942251B1 (en) * | 2012-09-28 | 2018-04-10 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US9762608B1 (en) * | 2012-09-28 | 2017-09-12 | Palo Alto Networks, Inc. | Detecting malware |
US11157616B2 (en) | 2012-10-19 | 2021-10-26 | Mcafee, Llc | Mobile application management |
US10114950B2 (en) | 2012-10-19 | 2018-10-30 | McAFEE, LLC. | Mobile application management |
US9665465B1 (en) * | 2012-11-19 | 2017-05-30 | Amazon Technologies, Inc. | Automated determination of application permissions |
US9208215B2 (en) | 2012-12-27 | 2015-12-08 | Lookout, Inc. | User classification based on data gathered from a computing device |
US20140245448A1 (en) * | 2013-02-27 | 2014-08-28 | Electronics And Telecommunications Research Institute | Apparatus and method for analyzing permission of application for mobile devices and detecting risk |
US9141801B2 (en) * | 2013-02-27 | 2015-09-22 | Electronics And Telecommunications Research Institute | Apparatus and method for analyzing permission of application for mobile devices and detecting risk |
US9323511B1 (en) * | 2013-02-28 | 2016-04-26 | Google Inc. | Splitting application permissions on devices |
US20160012221A1 (en) * | 2013-03-05 | 2016-01-14 | Telecom Italia S.P.A. | Method For Measuring and Monitoring the Access Levels to Personal Data Generated by Resources of a User Device |
US9824210B2 (en) * | 2013-03-05 | 2017-11-21 | Telecom Italia S.P.A. | Method for measuring and monitoring the access levels to personal data generated by resources of a user device |
US20140280098A1 (en) * | 2013-03-15 | 2014-09-18 | Quixey, Inc. | Performing application search based on application gaminess |
US20160055336A1 (en) * | 2013-03-28 | 2016-02-25 | Mwstory Co., Ltd. | System for preventing malicious intrusion based on smart device and method thereof |
US9875356B2 (en) * | 2013-03-28 | 2018-01-23 | Mwstory Co., Ltd. | System for preventing malicious intrusion based on smart device and method thereof |
US10148667B2 (en) | 2013-06-17 | 2018-12-04 | Appthority, Inc. | Automated classification of applications for mobile devices |
US9639694B2 (en) * | 2013-06-17 | 2017-05-02 | Appthority, Inc. | Automated classification of applications for mobile devices |
US20160012220A1 (en) * | 2013-06-17 | 2016-01-14 | Appthority, Inc. | Automated classification of applications for mobile devices |
US9152694B1 (en) * | 2013-06-17 | 2015-10-06 | Appthority, Inc. | Automated classification of applications for mobile devices |
US10269029B1 (en) | 2013-06-25 | 2019-04-23 | Amazon Technologies, Inc. | Application monetization based on application and lifestyle fingerprinting |
US9652617B1 (en) * | 2013-06-25 | 2017-05-16 | Amazon Technologies, Inc. | Analyzing security of applications |
US9921827B1 (en) | 2013-06-25 | 2018-03-20 | Amazon Technologies, Inc. | Developing versions of applications based on application fingerprinting |
US10037548B2 (en) | 2013-06-25 | 2018-07-31 | Amazon Technologies, Inc. | Application recommendations based on application and lifestyle fingerprinting |
US10678918B1 (en) | 2013-07-30 | 2020-06-09 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US9804869B1 (en) | 2013-07-30 | 2017-10-31 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US10867041B2 (en) | 2013-07-30 | 2020-12-15 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US20150067830A1 (en) * | 2013-08-28 | 2015-03-05 | Amazon Technologies, Inc. | Dynamic application security verification |
US9591003B2 (en) * | 2013-08-28 | 2017-03-07 | Amazon Technologies, Inc. | Dynamic application security verification |
US20170132414A1 (en) * | 2013-08-28 | 2017-05-11 | Amazon Technologies, Inc. | Dynamic Application Security Verification |
US11689577B2 (en) * | 2013-10-18 | 2023-06-27 | Nokia Technologies Oy | Method and system for operating and monitoring permissions for applications in an electronic device |
US20220094716A1 (en) * | 2013-10-18 | 2022-03-24 | Nokia Technologies Oy | Method and system for operating and monitoring permissions for applications in an electronic device |
EP2884784A1 (en) * | 2013-12-11 | 2015-06-17 | Alcatel Lucent | Privacy ratings for applications of mobile terminals |
US10204225B2 (en) * | 2014-05-15 | 2019-02-12 | Northwestern University | System and method for determining description-to-permission fidelity in mobile applications |
US20150332049A1 (en) * | 2014-05-15 | 2015-11-19 | Northwestern University | System and method for determining description-to-permission fidelity in mobile applications |
US10204221B2 (en) | 2014-07-14 | 2019-02-12 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US10515210B2 (en) | 2014-07-14 | 2019-12-24 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9596256B1 (en) * | 2014-07-23 | 2017-03-14 | Lookingglass Cyber Solutions, Inc. | Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface |
US10511621B1 (en) | 2014-07-23 | 2019-12-17 | Lookingglass Cyber Solutions, Inc. | Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface |
US20160110543A1 (en) * | 2014-10-21 | 2016-04-21 | Electronics And Telecommunications Research Institute | Apparatus and method for detecting malicious application based on visualization similarity |
US9183383B1 (en) * | 2014-12-05 | 2015-11-10 | AO Kaspersky Lab | System and method of limiting the operation of trusted applications in presence of suspicious programs |
CN104462971A (en) * | 2014-12-17 | 2015-03-25 | 北京奇虎科技有限公司 | Malicious application program recognition method and device according to application program declaration characteristics |
US10846404B1 (en) | 2014-12-18 | 2020-11-24 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US11036859B2 (en) | 2014-12-18 | 2021-06-15 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US10152597B1 (en) | 2014-12-18 | 2018-12-11 | Palo Alto Networks, Inc. | Deduplicating malware |
US9626515B2 (en) | 2014-12-30 | 2017-04-18 | Samsung Electronics Co., Ltd. | Electronic system with risk presentation mechanism and method of operation thereof |
WO2016108378A1 (en) * | 2014-12-30 | 2016-07-07 | Samsung Electronics Co., Ltd. | Electronic system with risk presentation mechanism and method of operation thereof |
US11259183B2 (en) | 2015-05-01 | 2022-02-22 | Lookout, Inc. | Determining a security state designation for a computing device based on a source of software |
US10114944B1 (en) * | 2015-11-12 | 2018-10-30 | Symantec Corporation | Systems and methods for classifying permissions on mobile devices |
US11087024B2 (en) | 2016-01-29 | 2021-08-10 | Samsung Electronics Co., Ltd. | System and method to enable privacy-preserving real time services against inference attacks |
US20170372066A1 (en) * | 2016-06-28 | 2017-12-28 | International Business Machines Corporation | Detecting harmful applications prior to installation on a user device |
US10248788B2 (en) * | 2016-06-28 | 2019-04-02 | International Business Machines Corporation | Detecting harmful applications prior to installation on a user device |
US10621333B2 (en) * | 2016-08-08 | 2020-04-14 | International Business Machines Corporation | Install-time security analysis of mobile applications |
US20180039774A1 (en) * | 2016-08-08 | 2018-02-08 | International Business Machines Corporation | Install-Time Security Analysis of Mobile Applications |
US10242187B1 (en) * | 2016-09-14 | 2019-03-26 | Symantec Corporation | Systems and methods for providing integrated security management |
US10218697B2 (en) | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
US11038876B2 (en) | 2017-06-09 | 2021-06-15 | Lookout, Inc. | Managing access to services based on fingerprint matching |
WO2019108919A1 (en) * | 2017-12-01 | 2019-06-06 | Seven Networks, Llc | Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators |
US10915638B2 (en) * | 2018-05-16 | 2021-02-09 | Target Brands Inc. | Electronic security evaluator |
US20190354686A1 (en) * | 2018-05-16 | 2019-11-21 | Target Brands, Inc. | Electronic security evaluator |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11604878B2 (en) | 2018-06-29 | 2023-03-14 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11620383B2 (en) | 2018-06-29 | 2023-04-04 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11960605B2 (en) | 2018-06-29 | 2024-04-16 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
CN109445874A (en) * | 2018-11-15 | 2019-03-08 | 济南浪潮高新科技投资发展有限公司 | A kind of more activation systems and method with safety certification based on embedded Linux system |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
US11706251B2 (en) | 2019-09-13 | 2023-07-18 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
Also Published As
Publication number | Publication date |
---|---|
US9213729B2 (en) | 2015-12-15 |
US9020925B2 (en) | 2015-04-28 |
US20130185292A1 (en) | 2013-07-18 |
US20140019456A1 (en) | 2014-01-16 |
US9063964B2 (en) | 2015-06-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9063964B2 (en) | Detecting application harmful behavior and grading application risks for mobile devices | |
Gamba et al. | An analysis of pre-installed android software | |
US11336458B2 (en) | Evaluating authenticity of applications based on assessing user device context for increased security | |
US11677764B2 (en) | Automated malware family signature generation | |
US9930071B2 (en) | System and methods for secure utilization of attestation in policy-based decision making for mobile device management and security | |
Mylonas et al. | Assessing privacy risks in android: A user-centric approach | |
US9268946B2 (en) | Quantifying the risks of applications for mobile devices | |
US8474004B2 (en) | System for implementing security on telecommunications terminals | |
JP6019484B2 (en) | Systems and methods for server-bound malware prevention | |
US8984628B2 (en) | System and method for adverse mobile application identification | |
US9235704B2 (en) | System and method for a scanning API | |
Calciati et al. | Automatically granted permissions in Android apps: An empirical study on their prevalence and on the potential threats for privacy | |
Shrivastava et al. | Privacy analysis of android applications: State-of-art and literary assessment | |
Mylonas et al. | A secure smartphone applications roll-out scheme | |
Zheng et al. | Security analysis of modern mission critical android mobile applications | |
Ito et al. | Detecting privacy information abuse by android apps from API call logs | |
Sikder et al. | A survey on android security: development and deployment hindrance and best practices | |
Jain | Android security: Permission based attacks | |
Montealegre et al. | Security vulnerabilities in android applications | |
Lee et al. | Privacy preserving collaboration in bring-your-own-apps | |
Mangset | Analysis of mobile application's compliance with the general data protection regulation (GDPR) | |
Nwobodo | Exploring Optimal Subsets of Statically Registered Broadcast Receivers and Permissions for the Prediction of Malicious Behavior in Android Applications | |
Weissbacher | Measurement and Detection of Security Properties of Client-Side Web Applications | |
Taylor | Security and privacy in app ecosystems | |
Saracino et al. | Risk analysis of Android applications: A user-centric solution Gianluca Dini, Fabio Martinelli, Ilaria Matteucci, Marinella Petrocchi |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: TRUSTGO MOBILE, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, XUYANG;BAO, CHENFU;WANG, LEI;SIGNING DATES FROM 20130116 TO 20130117;REEL/FRAME:030144/0578 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
AS | Assignment |
Owner name: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD., CHINA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TRUSTGO MOBILE, INC.;REEL/FRAME:059903/0790 Effective date: 20211230 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |